Site-To-Site

These scenarios show how to configure VPN site-to-site connections.

[Topology figure: ../../../../_images/topology22.svg]

Test One P2P Tunnel

Description

Simple VPN site-to-site configuration with a single tunnel in the main VRF. Note that the IKE and ESP groups reused throughout this page are test-bench settings, not a production profile: the pre-shared secret is "test", IKE proposal 1 uses null encryption and the ESP proposal uses aes128gmac. The SA output below confirms what actually gets negotiated (NULL/HMAC_SHA1_96 on the IKE SA, ESP:NULL_AES_GMAC-128 on the CHILD_SA), so the IKE_AUTH exchange is authenticated but not confidential and the tunnelled traffic is integrity-protected only.

Scenario

Step 1: Set the following configuration in DUT1:

set interfaces eth0.10 address 10.0.0.2/24
set vpn ipsec site-to-site peer SITE remote-address 10.0.0.1
set vpn ipsec auth-profile AUTH local auth pre-shared-secret test
set vpn ipsec esp-group ESP-POLICY lifetime 8 MB
set vpn ipsec esp-group ESP-POLICY proposal 1 encryption aes128gmac
set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1
set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15
set vpn ipsec ike-group IKE-POLICY dead-peer-detection interval 60
set vpn ipsec ike-group IKE-POLICY key-exchange ikev2
set vpn ipsec ike-group IKE-POLICY lifetime 28800
set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null
set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1
set vpn ipsec ike-group IKE-POLICY proposal 2 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 2 encryption aes128
set vpn ipsec ike-group IKE-POLICY proposal 2 hash sha1
set vpn ipsec site-to-site peer SITE local-address 10.0.0.2
set vpn ipsec site-to-site peer SITE tunnel 1 local prefix 10.0.0.2/32
set vpn ipsec site-to-site peer SITE tunnel 1 remote prefix 10.0.0.0/24
set vpn ipsec site-to-site peer SITE auth-profile AUTH
set vpn ipsec site-to-site peer SITE connection-type respond
set vpn ipsec site-to-site peer SITE ike-group IKE-POLICY
set vpn ipsec site-to-site peer SITE tunnel 1 esp-group ESP-POLICY

Step 2: Set the following configuration in DUT0:

set interfaces eth0.10 address 10.0.0.1/24
set vpn ipsec auth-profile AUTH local auth pre-shared-secret test
set vpn ipsec esp-group ESP-POLICY lifetime 8 MB
set vpn ipsec esp-group ESP-POLICY proposal 1 encryption aes128gmac
set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1
set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15
set vpn ipsec ike-group IKE-POLICY dead-peer-detection interval 60
set vpn ipsec ike-group IKE-POLICY key-exchange ikev2
set vpn ipsec ike-group IKE-POLICY lifetime 28800
set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null
set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1
set vpn ipsec ike-group IKE-POLICY proposal 2 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 2 encryption aes128
set vpn ipsec ike-group IKE-POLICY proposal 2 hash sha1
set vpn ipsec site-to-site peer SITE1 local-address 10.0.0.1
set vpn ipsec site-to-site peer SITE1 remote-address 10.0.0.2
set vpn ipsec site-to-site peer SITE1 tunnel 1 local prefix 10.0.0.1/32
set vpn ipsec site-to-site peer SITE1 tunnel 1 remote prefix 10.0.0.0/24
set vpn ipsec site-to-site peer SITE1 auth-profile AUTH
set vpn ipsec site-to-site peer SITE1 connection-type initiate
set vpn ipsec site-to-site peer SITE1 ike-group IKE-POLICY
set vpn ipsec site-to-site peer SITE1 tunnel 1 esp-group ESP-POLICY

Step 3: Ping IP address 10.0.0.2 from DUT0:

admin@DUT0$ ping 10.0.0.2 count 1 size 56 timeout 1
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.399 ms

--- 10.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.399/0.399/0.399/0.000 ms

Step 4: Ping IP address 10.0.0.1 from DUT1:

admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.426 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.426/0.426/0.426/0.000 ms

Step 5: Run command vpn ipsec show sa on DUT0 and check that the output matches the following regular expressions:

ESTABLISHED, IKEv2
\d+ bytes,\s+\d+ packets
local\s+(\d+\.){3}[13]\/32\s+remote\s+(\d+\.){3}2\/32
vpn-peer-SITE1: #1, ESTABLISHED, IKEv2, 9acfc3259110f887_i* 9aa7122a1bea64ba_r
  local  '10.0.0.1' @ 10.0.0.1[500]
  remote '10.0.0.2' @ 10.0.0.2[500]
  NULL/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072
  established 1s ago, rekeying in 21665s
  peer-SITE1-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:NULL_AES_GMAC-128
    installed 1s ago, rekeying in 3359s, expires in 3960s
    in  c4e806eb,    168 bytes,     2 packets,     1s ago
    out cdfd4f0d,    168 bytes,     2 packets,     1s ago
    local  10.0.0.1/32
    remote 10.0.0.2/32

Test One P2P Tunnel with VRFs

Description

VPN site-to-site configuration with a single tunnel whose local side on DUT0 lives in VRF A: eth0.10 is moved into the VRF, the peer is bound to it with local-vrf, and the tunnel is pinned to the interface with local-interface. DUT1 keeps the main-VRF configuration of the previous test.

Scenario

Step 1: Set the following configuration in DUT1:

set interfaces eth0.10 address 10.0.0.2/24
set vpn ipsec site-to-site peer SITE remote-address 10.0.0.1
set vpn ipsec auth-profile AUTH local auth pre-shared-secret test
set vpn ipsec esp-group ESP-POLICY lifetime 8 MB
set vpn ipsec esp-group ESP-POLICY proposal 1 encryption aes128gmac
set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1
set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15
set vpn ipsec ike-group IKE-POLICY dead-peer-detection interval 60
set vpn ipsec ike-group IKE-POLICY key-exchange ikev2
set vpn ipsec ike-group IKE-POLICY lifetime 28800
set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null
set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1
set vpn ipsec ike-group IKE-POLICY proposal 2 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 2 encryption aes128
set vpn ipsec ike-group IKE-POLICY proposal 2 hash sha1
set vpn ipsec site-to-site peer SITE local-address 10.0.0.2
set vpn ipsec site-to-site peer SITE tunnel 1 local prefix 10.0.0.2/32
set vpn ipsec site-to-site peer SITE tunnel 1 remote prefix 10.0.0.0/24
set vpn ipsec site-to-site peer SITE auth-profile AUTH
set vpn ipsec site-to-site peer SITE connection-type respond
set vpn ipsec site-to-site peer SITE ike-group IKE-POLICY
set vpn ipsec site-to-site peer SITE tunnel 1 esp-group ESP-POLICY

Step 2: Set the following configuration in DUT0:

set interfaces eth0.10 address 10.0.0.1/24
set vpn ipsec auth-profile AUTH local auth pre-shared-secret test
set vpn ipsec esp-group ESP-POLICY lifetime 8 MB
set vpn ipsec esp-group ESP-POLICY proposal 1 encryption aes128gmac
set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1
set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15
set vpn ipsec ike-group IKE-POLICY dead-peer-detection interval 60
set vpn ipsec ike-group IKE-POLICY key-exchange ikev2
set vpn ipsec ike-group IKE-POLICY lifetime 28800
set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null
set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1
set vpn ipsec ike-group IKE-POLICY proposal 2 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 2 encryption aes128
set vpn ipsec ike-group IKE-POLICY proposal 2 hash sha1
set vpn ipsec site-to-site peer SITE1 local-address 10.0.0.1
set vpn ipsec site-to-site peer SITE1 remote-address 10.0.0.2
set vpn ipsec site-to-site peer SITE1 tunnel 1 local prefix 10.0.0.1/32
set vpn ipsec site-to-site peer SITE1 tunnel 1 remote prefix 10.0.0.0/24
set vpn ipsec site-to-site peer SITE1 auth-profile AUTH
set vpn ipsec site-to-site peer SITE1 connection-type initiate
set vpn ipsec site-to-site peer SITE1 ike-group IKE-POLICY
set vpn ipsec site-to-site peer SITE1 tunnel 1 esp-group ESP-POLICY
set system vrf A
set interfaces eth0.10 vrf A
set vpn ipsec site-to-site peer SITE1 local-vrf A
set vpn ipsec site-to-site peer SITE1 tunnel 1 local-interface eth0.10

Step 3: Ping IP address 10.0.0.2 from DUT0:

admin@DUT0$ ping 10.0.0.2 vrf A count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than A.
PING 10.0.0.2 (10.0.0.2) from 10.0.0.1 A: 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.498 ms

--- 10.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.498/0.498/0.498/0.000 ms

Step 4: Ping IP address 10.0.0.1 from DUT1:

admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.383 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.383/0.383/0.383/0.000 ms

Step 5: Run command vpn ipsec show sa on DUT0 and check that the output matches the following regular expressions:

ESTABLISHED, IKEv2
\d+ bytes,\s+\d+ packets
local\s+(\d+\.){3}[13]\/32\s+remote\s+(\d+\.){3}2\/32
vpn-peer-SITE1: #1, ESTABLISHED, IKEv2, bcbb213897ec8f8f_i* b54e06b146756231_r
  local  '10.0.0.1' @ 10.0.0.1[500]
  remote '10.0.0.2' @ 10.0.0.2[500]
  NULL/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072
  established 1s ago, rekeying in 20936s
  peer-SITE1-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:NULL_AES_GMAC-128
    installed 1s ago, rekeying in 3375s, expires in 3959s
    in  c1fdc620,    168 bytes,     2 packets,     1s ago
    out c59b78fa,    168 bytes,     2 packets,     1s ago
    local  10.0.0.1/32
    remote 10.0.0.2/32

Test Two P2P Tunnels With VRFs

Description

Two VPN site-to-site connections terminated in different VRFs on DUT0 (A on eth0.10 towards DUT1, B on eth1.20 towards DUT2), each with its own local address (10.0.0.1 and 10.0.0.3), so the two IKE SAs are already distinguishable by endpoint; the SA output lists them with reqid 1 and reqid 2.

Scenario

Step 1: Set the following configuration in DUT1:

set interfaces eth0.10 address 10.0.0.2/24
set vpn ipsec site-to-site peer SITE remote-address 10.0.0.1
set vpn ipsec auth-profile AUTH local auth pre-shared-secret test
set vpn ipsec esp-group ESP-POLICY lifetime 8 MB
set vpn ipsec esp-group ESP-POLICY proposal 1 encryption aes128gmac
set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1
set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15
set vpn ipsec ike-group IKE-POLICY dead-peer-detection interval 60
set vpn ipsec ike-group IKE-POLICY key-exchange ikev2
set vpn ipsec ike-group IKE-POLICY lifetime 28800
set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null
set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1
set vpn ipsec ike-group IKE-POLICY proposal 2 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 2 encryption aes128
set vpn ipsec ike-group IKE-POLICY proposal 2 hash sha1
set vpn ipsec site-to-site peer SITE local-address 10.0.0.2
set vpn ipsec site-to-site peer SITE tunnel 1 local prefix 10.0.0.2/32
set vpn ipsec site-to-site peer SITE tunnel 1 remote prefix 10.0.0.0/24
set vpn ipsec site-to-site peer SITE auth-profile AUTH
set vpn ipsec site-to-site peer SITE connection-type respond
set vpn ipsec site-to-site peer SITE ike-group IKE-POLICY
set vpn ipsec site-to-site peer SITE tunnel 1 esp-group ESP-POLICY

Step 2: Set the following configuration in DUT2:

set interfaces eth0.20 address 10.0.0.2/24
set vpn ipsec site-to-site peer SITE remote-address 10.0.0.3
set vpn ipsec auth-profile AUTH local auth pre-shared-secret test
set vpn ipsec esp-group ESP-POLICY lifetime 8 MB
set vpn ipsec esp-group ESP-POLICY proposal 1 encryption aes128gmac
set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1
set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15
set vpn ipsec ike-group IKE-POLICY dead-peer-detection interval 60
set vpn ipsec ike-group IKE-POLICY key-exchange ikev2
set vpn ipsec ike-group IKE-POLICY lifetime 28800
set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null
set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1
set vpn ipsec ike-group IKE-POLICY proposal 2 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 2 encryption aes128
set vpn ipsec ike-group IKE-POLICY proposal 2 hash sha1
set vpn ipsec site-to-site peer SITE local-address 10.0.0.2
set vpn ipsec site-to-site peer SITE tunnel 1 local prefix 10.0.0.2/32
set vpn ipsec site-to-site peer SITE tunnel 1 remote prefix 10.0.0.0/24
set vpn ipsec site-to-site peer SITE auth-profile AUTH
set vpn ipsec site-to-site peer SITE connection-type respond
set vpn ipsec site-to-site peer SITE ike-group IKE-POLICY
set vpn ipsec site-to-site peer SITE tunnel 1 esp-group ESP-POLICY

Step 3: Set the following configuration in DUT0:

set interfaces eth0.10 address 10.0.0.1/24
set vpn ipsec auth-profile AUTH local auth pre-shared-secret test
set vpn ipsec esp-group ESP-POLICY lifetime 8 MB
set vpn ipsec esp-group ESP-POLICY proposal 1 encryption aes128gmac
set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1
set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15
set vpn ipsec ike-group IKE-POLICY dead-peer-detection interval 60
set vpn ipsec ike-group IKE-POLICY key-exchange ikev2
set vpn ipsec ike-group IKE-POLICY lifetime 28800
set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null
set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1
set vpn ipsec ike-group IKE-POLICY proposal 2 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 2 encryption aes128
set vpn ipsec ike-group IKE-POLICY proposal 2 hash sha1
set vpn ipsec site-to-site peer SITE1 local-address 10.0.0.1
set vpn ipsec site-to-site peer SITE1 remote-address 10.0.0.2
set vpn ipsec site-to-site peer SITE1 tunnel 1 local prefix 10.0.0.1/32
set vpn ipsec site-to-site peer SITE1 tunnel 1 remote prefix 10.0.0.0/24
set vpn ipsec site-to-site peer SITE1 auth-profile AUTH
set vpn ipsec site-to-site peer SITE1 connection-type initiate
set vpn ipsec site-to-site peer SITE1 ike-group IKE-POLICY
set vpn ipsec site-to-site peer SITE1 tunnel 1 esp-group ESP-POLICY
set system vrf A
set interfaces eth0.10 vrf A
set vpn ipsec site-to-site peer SITE1 local-vrf A
set vpn ipsec site-to-site peer SITE1 tunnel 1 local-interface eth0.10
set system vrf B
set interfaces eth1.20 address 10.0.0.3/24
set interfaces eth1.20 vrf B
set vpn ipsec site-to-site peer SITE2 local-vrf B
set vpn ipsec site-to-site peer SITE2 tunnel 1 local-interface eth1.20
set vpn ipsec site-to-site peer SITE2 local-address 10.0.0.3
set vpn ipsec site-to-site peer SITE2 remote-address 10.0.0.2
set vpn ipsec site-to-site peer SITE2 tunnel 1 local prefix 10.0.0.3/32
set vpn ipsec site-to-site peer SITE2 tunnel 1 remote prefix 10.0.0.0/24
set vpn ipsec site-to-site peer SITE2 auth-profile AUTH
set vpn ipsec site-to-site peer SITE2 connection-type initiate
set vpn ipsec site-to-site peer SITE2 ike-group IKE-POLICY
set vpn ipsec site-to-site peer SITE2 tunnel 1 esp-group ESP-POLICY

Step 4: Ping IP address 10.0.0.2 from DUT0:

admin@DUT0$ ping 10.0.0.2 vrf A count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than A.
PING 10.0.0.2 (10.0.0.2) from 10.0.0.1 A: 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.387 ms

--- 10.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.387/0.387/0.387/0.000 ms

Step 5: Ping IP address 10.0.0.1 from DUT1:

admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.465 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.465/0.465/0.465/0.000 ms

Step 6: Ping IP address 10.0.0.2 from DUT0:

admin@DUT0$ ping 10.0.0.2 vrf B count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than B.
PING 10.0.0.2 (10.0.0.2) from 10.0.0.3 B: 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.321 ms

--- 10.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.321/0.321/0.321/0.000 ms

Step 7: Ping IP address 10.0.0.3 from DUT2:

admin@DUT2$ ping 10.0.0.3 count 1 size 56 timeout 1
PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data.
64 bytes from 10.0.0.3: icmp_seq=1 ttl=64 time=0.335 ms

--- 10.0.0.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.335/0.335/0.335/0.000 ms

Step 8: Run command vpn ipsec show sa on DUT0 and check that the output matches the following regular expressions:

ESTABLISHED, IKEv2
\d+ bytes,\s+\d+ packets
local\s+(\d+\.){3}[13]\/32\s+remote\s+(\d+\.){3}2\/32
vpn-peer-SITE1: #2, ESTABLISHED, IKEv2, 63a36c7110ba9095_i* c2e5ba21155fbc3c_r
  local  '10.0.0.1' @ 10.0.0.1[500]
  remote '10.0.0.2' @ 10.0.0.2[500]
  NULL/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072
  established 1s ago, rekeying in 22605s
  peer-SITE1-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:NULL_AES_GMAC-128
    installed 1s ago, rekeying in 3396s, expires in 3959s
    in  c869fd08,    168 bytes,     2 packets,     1s ago
    out c7e92b67,    168 bytes,     2 packets,     1s ago
    local  10.0.0.1/32
    remote 10.0.0.2/32
vpn-peer-SITE2: #1, ESTABLISHED, IKEv2, 96a6cf0bc02586ed_i* 98818d48db91e941_r
  local  '10.0.0.3' @ 10.0.0.3[500]
  remote '10.0.0.2' @ 10.0.0.2[500]
  NULL/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072
  established 1s ago, rekeying in 15605s
  peer-SITE2-tunnel-1: #1, reqid 2, INSTALLED, TUNNEL, ESP:NULL_AES_GMAC-128
    installed 1s ago, rekeying in 3368s, expires in 3959s
    in  c255f948,    168 bytes,     2 packets,     0s ago
    out cf0bf797,    168 bytes,     2 packets,     0s ago
    local  10.0.0.3/32
    remote 10.0.0.2/32

Test Two P2P Tunnels With VRFs And Overlapped IP Addresses

Description

Two VPN site-to-site connections terminated in different VRFs on DUT0, this time with identical addressing in both VRFs (local 10.0.0.1 and remote 10.0.0.2 on eth0.10 in A and on eth1.20 in B). Separation relies entirely on the local-vrf and tunnel local-interface bindings: in the SA output both tunnels print the same endpoints and selectors and even share reqid 1, so only the peer name distinguishes them.

Scenario

Step 1: Set the following configuration in DUT1:

set interfaces eth0.10 address 10.0.0.2/24
set vpn ipsec site-to-site peer SITE remote-address 10.0.0.1
set vpn ipsec auth-profile AUTH local auth pre-shared-secret test
set vpn ipsec esp-group ESP-POLICY lifetime 8 MB
set vpn ipsec esp-group ESP-POLICY proposal 1 encryption aes128gmac
set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1
set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15
set vpn ipsec ike-group IKE-POLICY dead-peer-detection interval 60
set vpn ipsec ike-group IKE-POLICY key-exchange ikev2
set vpn ipsec ike-group IKE-POLICY lifetime 28800
set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null
set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1
set vpn ipsec ike-group IKE-POLICY proposal 2 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 2 encryption aes128
set vpn ipsec ike-group IKE-POLICY proposal 2 hash sha1
set vpn ipsec site-to-site peer SITE local-address 10.0.0.2
set vpn ipsec site-to-site peer SITE tunnel 1 local prefix 10.0.0.2/32
set vpn ipsec site-to-site peer SITE tunnel 1 remote prefix 10.0.0.0/24
set vpn ipsec site-to-site peer SITE auth-profile AUTH
set vpn ipsec site-to-site peer SITE connection-type respond
set vpn ipsec site-to-site peer SITE ike-group IKE-POLICY
set vpn ipsec site-to-site peer SITE tunnel 1 esp-group ESP-POLICY

Step 2: Set the following configuration in DUT2:

set interfaces eth0.20 address 10.0.0.2/24
set vpn ipsec site-to-site peer SITE remote-address 10.0.0.3
set vpn ipsec auth-profile AUTH local auth pre-shared-secret test
set vpn ipsec esp-group ESP-POLICY lifetime 8 MB
set vpn ipsec esp-group ESP-POLICY proposal 1 encryption aes128gmac
set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1
set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15
set vpn ipsec ike-group IKE-POLICY dead-peer-detection interval 60
set vpn ipsec ike-group IKE-POLICY key-exchange ikev2
set vpn ipsec ike-group IKE-POLICY lifetime 28800
set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null
set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1
set vpn ipsec ike-group IKE-POLICY proposal 2 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 2 encryption aes128
set vpn ipsec ike-group IKE-POLICY proposal 2 hash sha1
set vpn ipsec site-to-site peer SITE local-address 10.0.0.2
set vpn ipsec site-to-site peer SITE tunnel 1 local prefix 10.0.0.2/32
set vpn ipsec site-to-site peer SITE tunnel 1 remote prefix 10.0.0.0/24
set vpn ipsec site-to-site peer SITE auth-profile AUTH
set vpn ipsec site-to-site peer SITE connection-type respond
set vpn ipsec site-to-site peer SITE ike-group IKE-POLICY
set vpn ipsec site-to-site peer SITE tunnel 1 esp-group ESP-POLICY
del vpn ipsec site-to-site peer SITE remote-address
set vpn ipsec site-to-site peer SITE remote-address 10.0.0.1

Step 3: Set the following configuration in DUT0:

set interfaces eth0.10 address 10.0.0.1/24
set vpn ipsec auth-profile AUTH local auth pre-shared-secret test
set vpn ipsec esp-group ESP-POLICY lifetime 8 MB
set vpn ipsec esp-group ESP-POLICY proposal 1 encryption aes128gmac
set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1
set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15
set vpn ipsec ike-group IKE-POLICY dead-peer-detection interval 60
set vpn ipsec ike-group IKE-POLICY key-exchange ikev2
set vpn ipsec ike-group IKE-POLICY lifetime 28800
set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null
set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1
set vpn ipsec ike-group IKE-POLICY proposal 2 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 2 encryption aes128
set vpn ipsec ike-group IKE-POLICY proposal 2 hash sha1
set vpn ipsec site-to-site peer SITE1 local-address 10.0.0.1
set vpn ipsec site-to-site peer SITE1 remote-address 10.0.0.2
set vpn ipsec site-to-site peer SITE1 tunnel 1 local prefix 10.0.0.1/32
set vpn ipsec site-to-site peer SITE1 tunnel 1 remote prefix 10.0.0.0/24
set vpn ipsec site-to-site peer SITE1 auth-profile AUTH
set vpn ipsec site-to-site peer SITE1 connection-type initiate
set vpn ipsec site-to-site peer SITE1 ike-group IKE-POLICY
set vpn ipsec site-to-site peer SITE1 tunnel 1 esp-group ESP-POLICY
set system vrf A
set interfaces eth0.10 vrf A
set vpn ipsec site-to-site peer SITE1 local-vrf A
set vpn ipsec site-to-site peer SITE1 tunnel 1 local-interface eth0.10
set system vrf B
set interfaces eth1.20 address 10.0.0.3/24
set interfaces eth1.20 vrf B
set vpn ipsec site-to-site peer SITE2 local-vrf B
set vpn ipsec site-to-site peer SITE2 tunnel 1 local-interface eth1.20
del interfaces eth1.20 address
set interfaces eth1.20 address 10.0.0.1/24
set vpn ipsec site-to-site peer SITE2 local-address 10.0.0.1
set vpn ipsec site-to-site peer SITE2 remote-address 10.0.0.2
set vpn ipsec site-to-site peer SITE2 tunnel 1 local prefix 10.0.0.1/32
set vpn ipsec site-to-site peer SITE2 tunnel 1 remote prefix 10.0.0.0/24
set vpn ipsec site-to-site peer SITE2 auth-profile AUTH
set vpn ipsec site-to-site peer SITE2 connection-type initiate
set vpn ipsec site-to-site peer SITE2 ike-group IKE-POLICY
set vpn ipsec site-to-site peer SITE2 tunnel 1 esp-group ESP-POLICY

Step 4: Ping IP address 10.0.0.2 from DUT0:

admin@DUT0$ ping 10.0.0.2 vrf A count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than A.
PING 10.0.0.2 (10.0.0.2) from 10.0.0.1 A: 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.350 ms

--- 10.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.350/0.350/0.350/0.000 ms

Step 5: Ping IP address 10.0.0.1 from DUT1:

admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.424 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.424/0.424/0.424/0.000 ms

Step 6: Ping IP address 10.0.0.2 from DUT0:

admin@DUT0$ ping 10.0.0.2 vrf B count 1 size 56 timeout 1
ping: Warning: source address might be selected on device other than B.
PING 10.0.0.2 (10.0.0.2) from 10.0.0.1 B: 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.439 ms

--- 10.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.439/0.439/0.439/0.000 ms

Step 7: Ping IP address 10.0.0.1 from DUT2:

admin@DUT2$ ping 10.0.0.1 count 1 size 56 timeout 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.407 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.407/0.407/0.407/0.000 ms

Step 8: Run command vpn ipsec show sa on DUT0 and check that the output matches the following regular expressions:

ESTABLISHED, IKEv2
\d+ bytes,\s+\d+ packets
local\s+(\d+\.){3}[13]\/32\s+remote\s+(\d+\.){3}2\/32
vpn-peer-SITE1: #2, ESTABLISHED, IKEv2, 194c3f08c09c676e_i* ee9a35d69f4d50ae_r
  local  '10.0.0.1' @ 10.0.0.1[500]
  remote '10.0.0.2' @ 10.0.0.2[500]
  NULL/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072
  established 1s ago, rekeying in 20136s
  peer-SITE1-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:NULL_AES_GMAC-128
    installed 1s ago, rekeying in 3308s, expires in 3959s
    in  c28aa681,    168 bytes,     2 packets,     1s ago
    out c8eb5c55,    168 bytes,     2 packets,     1s ago
    local  10.0.0.1/32
    remote 10.0.0.2/32
vpn-peer-SITE2: #1, ESTABLISHED, IKEv2, 01a988485ef36a24_i* 443302e2ba5e7bca_r
  local  '10.0.0.1' @ 10.0.0.1[500]
  remote '10.0.0.2' @ 10.0.0.2[500]
  NULL/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072
  established 1s ago, rekeying in 19808s
  peer-SITE2-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:NULL_AES_GMAC-128
    installed 1s ago, rekeying in 3296s, expires in 3959s
    in  c4ac258c,    168 bytes,     2 packets,     0s ago
    out c8689bb9,    168 bytes,     2 packets,     0s ago
    local  10.0.0.1/32
    remote 10.0.0.2/32
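The final step of each of the four scenarios above (Step 5 or Step 8) applies three regular expressions to the raw text of vpn ipsec show sa. The following is an added example, not part of the original page or of the product: it parses that listing into IKE SA / CHILD_SA objects, applies the same conditions in structured form, and adds the two checks a practitioner would want on top, namely a confidentiality audit that flags the NULL IKE cipher and the integrity-only NULL_AES_GMAC ESP transform negotiated in every scenario, and a duplicate-selector check for the overlapped-address case, where both tunnels print the same endpoints and reqid. The listing format is taken as printed on this page (strongSwan-style); the regular expressions, class and field names are ours, and the sample text is copied from the last scenario's Step 8 output with the timer lines left out.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: the Step 8 listing of the overlapped-address scenario above,
# with the "established ... ago" / "installed ... ago" timer lines left out.
SAMPLE_SA_OUTPUT = """\
vpn-peer-SITE1: #2, ESTABLISHED, IKEv2, 194c3f08c09c676e_i* ee9a35d69f4d50ae_r
  local  '10.0.0.1' @ 10.0.0.1[500]
  remote '10.0.0.2' @ 10.0.0.2[500]
  NULL/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072
  peer-SITE1-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:NULL_AES_GMAC-128
    in  c28aa681,    168 bytes,     2 packets,     1s ago
    out c8eb5c55,    168 bytes,     2 packets,     1s ago
    local  10.0.0.1/32
    remote 10.0.0.2/32
vpn-peer-SITE2: #1, ESTABLISHED, IKEv2, 01a988485ef36a24_i* 443302e2ba5e7bca_r
  local  '10.0.0.1' @ 10.0.0.1[500]
  remote '10.0.0.2' @ 10.0.0.2[500]
  NULL/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072
  peer-SITE2-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:NULL_AES_GMAC-128
    in  c4ac258c,    168 bytes,     2 packets,     0s ago
    out c8689bb9,    168 bytes,     2 packets,     0s ago
    local  10.0.0.1/32
    remote 10.0.0.2/32
"""

# Header patterns of the listing as printed above; the group names are ours.
IKE_RE = re.compile(r"^(?P<name>\S+): #\d+, (?P<state>[A-Z_]+), (?P<ver>IKEv[12]),")
IKE_ALG_RE = re.compile(r"^\s+(?P<algs>[A-Z0-9_-]+(?:/[A-Z0-9_-]+)+)$")  # ENCR/INTEG/PRF/DH
CHILD_RE = re.compile(r"^\s+(?P<name>\S+): #\d+, reqid (?P<reqid>\d+), (?P<state>[A-Z_]+), "
                      r"[A-Z]+, ESP:(?P<esp>\S+)")
COUNTER_RE = re.compile(r"^\s+(?P<dir>in|out)\s+[0-9a-f]+,\s+\d+ bytes,\s+(?P<pkts>\d+) packets")
TS_RE = re.compile(r"^\s+(?P<side>local|remote)\s+(?P<prefix>[0-9a-fA-F.:]+/\d+)$")

@dataclass
class ChildSA:
    name: str
    reqid: int
    state: str
    esp_alg: str
    packets_in: int = 0
    packets_out: int = 0
    local_ts: list[str] = field(default_factory=list)
    remote_ts: list[str] = field(default_factory=list)

@dataclass
class IkeSA:
    name: str
    state: str
    version: str
    algs: str = ""
    children: list[ChildSA] = field(default_factory=list)

def parse_show_sa(text: str) -> list[IkeSA]:
    """Group each IKE SA with its CHILD_SAs; lines that match no pattern are skipped."""
    sas: list[IkeSA] = []
    for line in text.splitlines():
        if m := IKE_RE.match(line):
            sas.append(IkeSA(m["name"], m["state"], m["ver"]))
        elif sas and (m := CHILD_RE.match(line)):
            sas[-1].children.append(ChildSA(m["name"], int(m["reqid"]), m["state"], m["esp"]))
        elif sas and (m := IKE_ALG_RE.match(line)):
            sas[-1].algs = m["algs"]
        elif sas and sas[-1].children and (m := COUNTER_RE.match(line)):
            setattr(sas[-1].children[-1], f"packets_{m['dir']}", int(m["pkts"]))
        elif sas and sas[-1].children and (m := TS_RE.match(line)):
            getattr(sas[-1].children[-1], f"{m['side']}_ts").append(m["prefix"])
    return sas

def verify_established(sas: list[IkeSA]) -> list[str]:
    """Structured form of the page's three regex checks; an empty list means all good."""
    problems = []
    for ike in sas:
        if (ike.state, ike.version) != ("ESTABLISHED", "IKEv2") or not ike.children:
            problems.append(f"{ike.name}: {ike.state} {ike.version}, {len(ike.children)} CHILD_SA")
        problems += [f"{c.name}: {c.state} in={c.packets_in} out={c.packets_out}" for c in ike.children
                     if c.state != "INSTALLED" or 0 in (c.packets_in, c.packets_out)]
    return problems

def audit_confidentiality(sas: list[IkeSA]) -> list[str]:
    """NULL as IKE cipher leaves the IKE_AUTH payloads (identities, selectors) readable on
    the wire; NULL_AES_GMAC on ESP (RFC 4543) is integrity-only, so payload is clear text."""
    findings = []
    for ike in sas:
        if ike.algs.split("/")[0] == "NULL":
            findings.append(f"{ike.name}: IKE SA negotiated NULL encryption")
        findings += [f"{c.name}: ESP {c.esp_alg} is integrity-only"
                     for c in ike.children if c.esp_alg.startswith("NULL")]
    return findings

def duplicate_selectors(sas: list[IkeSA]) -> list[list[str]]:
    """CHILD_SAs with identical traffic selectors.  With overlapping addressing in two
    VRFs both tunnels print the same endpoints and reqid, so only the peer name differs."""
    groups: dict[tuple, list[str]] = {}
    for ike in sas:
        for c in ike.children:
            groups.setdefault((tuple(c.local_ts), tuple(c.remote_ts)), []).append(c.name)
    return [names for names in groups.values() if len(names) > 1]
```

Run against the sample, verify_established returns an empty list (both IKE SAs ESTABLISHED over IKEv2, both CHILD_SAs INSTALLED with packets in both directions), audit_confidentiality returns four findings (NULL IKE cipher and NULL_AES_GMAC ESP for each peer), and duplicate_selectors groups peer-SITE1-tunnel-1 with peer-SITE2-tunnel-1. Fed the Step 8 output of the non-overlapped scenario instead, duplicate_selectors returns an empty list because the local selectors differ (10.0.0.1/32 versus 10.0.0.3/32); the confidentiality findings stay the same for every scenario on this page.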